
The question is about how to handle Authenticated and Unauthenticated routes.

Say you have a boolean stored in Redux state which essentially controls what a logged-in user sees and what an unauthenticated user sees. (Redux is just a placeholder; say you store it in localStorage as a second example.)

Something about this doesn't sit well with me. Just say the user figured out via inspecting the code that it's all about toggling this variable. This opens up all the pages he did NOT have access to, and can lead to all kinds of unexpected behavior on the frontend... edge cases that were not thought about (add isLoggedIn to already complicated combinations of states of other variables which control what the user sees).

Is this okay? Can we just say we as developers are no longer responsible if you try to mess with the code in browser dev tools? Or is there a better way to handle Authenticated and Unauthenticated routes?

Note: No confidential data would be yielded by the backend without the required access token. The question is just about allowing unauthenticated users to mess around with pages which were otherwise not visible to them.

D.B.K

  • You send all the source code with the page request... the end user can inspect it all they want and figure out how to potentially access restricted pages, even if you've implemented protected route components. Protect the data and API endpoints. Do you just have this very general question, or something more specific in mind? Do you need help [creating protected routing](https://stackoverflow.com/a/66289280/8690857) in your app? – Drew Reese Apr 26 '22 at 17:11
  • @DrewReese Thanks for the link to the solution. A similar solution has already been implemented using redux currently, was just wondering if there's a better way – D.B.K Apr 26 '22 at 17:19
  • Not really, it is basically the standard pattern. I think the saying is something along the lines of "don't ever trust clients, use and validate the access token for each network request." – Drew Reese Apr 26 '22 at 17:24

0 Answers